Aircraft Autolander Safety Analysis Through OptimalControl-Based Reach Set Computation

Alexandre M. Bayen∗

University of California at Berkeley, Berkeley, California 94720-1710

Ian M. Mitchell† and Meeko M. K. Oishi‡

University of British Columbia, Vancouver, British Columbia V6T 1Z4, Canada

and

Claire J. Tomlin§

Stanford University, Stanford, California 94305-4035

DOI: 10.2514/1.21562

Amethod for thenumerical computation of reachable sets for hybrid systems is presented andapplied to thedesign

and safety analysis of autoland systems. It is shown to be applicable to specific phases of landing: descent, flare, and

touchdown. The method is based on optimal control and level set methods; it simultaneously computes a maximal

controlled invariant set and a set-valued control law guaranteed to keep the aircraft within a safe set of states under

autopilot mode switching. The method is applied to the sequenced flap and slat deflections of a simplified model of a

DC9-30. The paper concludes with a demonstration of the method on higher dimensional aircraft models.

Nomenclature

b = wingspan, mCL, CD = lift and drag coefficientsD��; V� = drag of the aircraft, Ne = efficiency factorf�x; u� = continuous system’s dynamicsH�x; p� = Hamiltonian of the systemhalt = missed approach altitude, mh� = parameter of CL depending on flap deflectionJ�x; t� = solution of the Hamilton–Jacobi equationJ0�x� = implicit surface function representing the unsafe set

V0

K = modeling constantL��; V� = lift of the aircraft, Nm = mass of the aircraft, kgp = costate of the systemS = wing areaT = thrust of the aircraft T 2 �0; Tmax�, Nu = input thrust and angle of attack or its derivativeu� = optimal inputV = velocity of the aircraft, m=sV�t� = reachable setV0 = a priori unsafe setW = maximal controllable set or set of controllable statesW0 = safe flight envelope in a modeX = state space, R3 or R4

x = state vector of the aircraft, x� �V; �; z�z = altitude of the aircraft, m_z0 = maximal touchdown vertical velocity, m=s� = angle of attack of the aircraft, � 2 ��min; �max�, deg� = flight-path angle of the aircraft, � 2 ��min; �max�, deg� = flap setting, deg� = pitch of the aircraft, deg� = air density, kg=m3

Introduction

O NE of the key technologies for design and analysis of safetycritical and human-in-the-loop systems is verification, which

allows for heightened confidence that the system will perform asdesired. In the context of the present work, verification consists ofproving that, from an initial set of states (for example, aircraftconfigurations), a system can reach another desired set of states(target) while remaining in an acceptable range of states (envelope).The subset of states that can reach the target while remaining in theenvelope is called the set of controllable states or the maximalcontrollable set. For example, if an aircraft is landing, the initial set ofstates is the set of acceptable aircraft configurations, or states, such asposition, velocity, flight-path angle, and angle of attack, of theaircraft a few hundred feet before landing; the target is the set ofacceptable aircraft states at touchdown; and the envelope is the rangeof states in which it is safe to operate the aircraft. A safe landingtrajectory is one that starts from the set of initial states, is contained inthe envelope, and reaches the target in finite time.

Although the verification of discrete state systems is a relativelywell-explored field for which efficient tools have been successfullydeveloped [1,2], algorithms for verification of continuous statesystems have been developed relatively recently [3,4]; verifying anuncountable (infinite) set of states represented by continuousvariables requires a numerical treatment that is theoretically moredifficult than for discrete systems and harder to implement inpractice. A possible approach is to use the Hamilton–Jacobi partialdifferential equation (HJ PDE). The HJ PDE framework models theenvelope as the zero sublevel sets of a user defined function. Thisfunction is used as a terminal condition for a HJ PDE that isintegrated backward in time. The result of the integration provides anew function, the zero sublevel sets of which can be shown to be theset of points that can reach the target while staying in the envelope,i.e., the maximal controllable set. The HJ PDE framework alsoprovides a set-valued control law, which indicates the range of

Received 4 December 2005; revision received 19 June 2006; accepted forpublication 22 August 2006. Copyright © 2006 by the American Institute ofAeronautics and Astronautics, Inc. All rights reserved. Copies of this papermay be made for personal or internal use, on condition that the copier pay the$10.00 per-copy fee to the Copyright Clearance Center, Inc., 222 RosewoodDrive, Danvers, MA 01923; include the code $10.00 in correspondence withthe CCC.

∗Assistant Professor, Department ofCivil andEnvironmental Engineering,Davis Hall 711; bayen@berkeley.edu. Member AIAA (correspondingauthor).

†Assistant Professor, Department of Computer Science; mitchell@c-s.ubc.ca.

‡Assistant Professor, Department of Electrical and Computer Engineering;moishi@ece.ubc.ca. Member AIAA.

§Associate Professor, Department of Aeronautics and Astronautics; andAssociate Professor, Department of Electrical Engineering and ComputerSciences, University of California at Berkeley, Berkeley, CA; tomlin@stanford.edu. Member AIAA.

JOURNAL OF GUIDANCE, CONTROL, AND DYNAMICS

Vol. 30, No. 1, January–February 2007

68

allowable control inputs that can be applied as a function of thecontinuous state, to keep the system inside the maximal controllableset.

The benefit of this approach, sometimes called reachabilityanalysis, is that it provides a proof (for the mathematical modelsused) that the system will remain inside the envelope and reach thetarget. This is to be contrasted with Monte Carlo methods, which donot provide any guarantee for trajectories that are not part of thesimulation. Monte Carlo methods have historically been used toexplore the possible trajectories a system might follow. The morefinely gridded the state space, the more information the Monte Carlosimulations will provide. However, this class of methods isfundamentally limited in that it provides no information about initialconditions in between the grid points. A second benefit ofreachability analysis is that it complements the traditional gain-scheduled linear control design methods used for commercial flightsystems [5]. Aswill be seen in this paper, reachability analysis can beapplied to analyze the behavior of the aircraft over the full flightenvelope and can generate a least restrictive control filter that is onlyapplied if the aircraft state gets close to the boundary of the maximalcontrollable set. Inside the maximal controllable set, traditionalcontrollers designed to optimize, for example, performance orpassenger comfort would be applied. Finally, the reachable setframework encompasses systemswith inputs; thus, control problemswith cooperating inputs or differential game problems withcompeting inputs (from different players) can be treated effectively.

The validity of this proof goes back to the discovery of theviscosity solution [6,7] of the HJ PDE. Before this, methods based ondifferential games [8] (or optimal control, for only one player)provided, at best, certificates that specific trajectories of the systemstayed inside of the envelope but did not provide guarantees on sets.The advent of level set methods [9–11] enabled numericalcomputation of the viscosity solution, with a theoretical proof ofconvergence of the numerical result to the viscosity solution. Inparallel, viability theory [12] provided engineers with an equivalentapproach to solve the same problems, leading to a new suite ofnumerical schemes [13] developed to solve differential gameproblems [14]. These numerical schemes have also been proved toconverge to the viscosity solution of the HJ PDE, providing the sameguarantees as level set methods. These methods have now beenextended to treat hybrid systems, which combine continuous stateand discrete state dynamics [15–18].

When the actual implementations of these methods becameoperational in the late 1990s, the computational power limited suchcomputations to two dimensional systems [13,15]. Algorithmicimprovements and the increase in computing power now enablecomputations for systemswith continuous state dimension up to fouror five depending on the mathematical characteristics of thedynamics considered. This is a major technological breakthroughthat now allows the treatment of problems involving realistic modelsof physical systems. This gives aerospace engineers anunprecedented ability to use these methods for analysis and safetyverification of aircraft control systems, which are inherently hybrid,i.e., their evolution exhibits continuous behavior (position andvelocity change) as well as discrete behavior (autopilot modeswitches). For example, the motion of a landing aircraft is describedby continuous variables, but it undergoes different discrete flapsettings during landing, which have distinct dynamics and can beviewed as discrete modes that the pilot selects by pushing a lever orbuttonwith the corresponding setting. Interestingly, landing is one ofthe few portions of the flight that is not fully automated; in particular,flap deflection is still operated manually by pilots.

Aerospace engineering offers a long list of examples of algorithmsor methods that slowly made their way from research toimplementation onboard physical aircraft. The most famousexample is probablyBryson’sminimum time to climb control historycomputation for a supersonic jet fighter (the F4) [19]. Reachabilityanalysis is one such example, and it is now at a stage where systemimplementations have become possible. It has been used in researchon air traffic control, for enhanced traffic management system dataclassification [20], for soft wall analysis [21], and in conflict

resolution and analysis [22]. It has also been used for underwatertechnology: five-dimensional reachability computations have beenimplemented on a glider submarine at the French Department ofDefense [23]. Hardware implementation of reachable setcomputations has led to successful demonstrations of automatedunmanned aerial vehicles conflict avoidance [24]. This technologywas implemented in a T33 aircraft and a F15 aircraft, and a successfulconflict resolution maneuver was realized, demonstrating thefeasibility of the method for manned aircraft [24,25]. This providesevidence that an actual implementation on a civilian airliner of theschemes presented in this paper is feasible and realistic, which is themotivation for this paper.

This paper presents several contributions. First, a model of aircraftlongitudinal dynamics is presented and analyzed. The model iswritten in such a way that it is possible to find an analyticalexpression of the optimal input to apply in the reachabilitycomputation of interest. This is a remarkable property given themodel; in general, optimal Hamiltonians in HJ PDEs have to becomputed numerically. The second contribution is the application ofthe technique to successive phases of landing. The novelty of thisresult lies in the hybrid reachability computation, a field for whichfew nonacademic examples (such as this one) exist. The hybridnature of the model makes it possible to compute the maximalcontrollable set, despite the fact that the system switches dynamicsseveral times through the landing. Finally, these results are extendedto higher dimensional models, which incorporate flap dynamics inthe formof amore realistic description of the evolution of the angle ofattack.

This paper is organized as follows: The first section of this paperpresents the model of the longitudinal dynamics of the aircraft, aswell as the definition of the safety envelopes in the different modes ofthe aircraft (e.g., descent, flare, go-around) with corresponding slatand flap deflections. The following section presents the method usedto do the verification and the corresponding input to apply to keep theaircraft inside the flight envelope. This method is then generalized tohybrid systems and applied to the successive flap and slat deflectionsof a DC9-30 in final approach. Finally, current research directionswith higher dimensional models are shown. Themodel of the aircraftis refined, and the numerical technique is adapted accordingly. Theappendix presents the proof of optimality, which is necessary for thesolution of the HJ PDE.

Physical Model

This section presents the equations of motion used to model theaircraft’s longitudinal dynamics. The aerodynamic properties of theaircraft are derived from empirical data as well as fundamentalprinciples. The aircraft envelopes are derived using the aircraftcharacteristics as well as regulations.

Equations of Motion

The longitudinal dynamics of an aircraft are modeled using theframe of reference shown in Fig. 1. The state variables are thevelocity, the flight-path angle, and the altitude. The state of thesystem is called xT � �V; �; z�. A point mass model is considered inwhich the aircraft is subjected to forces of thrust, lift, drag, and mg

Fig. 1 Point mass force diagram for the longitudinal dynamics of the

aircraft.

BAYEN ET AL. 69

due to gravity. The equations of motion for this system read

d

dt

V�z

24

35�

1m�T cos� �D��; V� �mg sin ��

1mV

�T sin�� L��; V� �mg cos ��V sin �

24

35 (1)

In Eq. (1), T and � are the inputs. In some modes (i.e., portions oflanding), T might be fixed at nominal values Tidle or Tmax, whereTidle � 0:2 Tmax and Tmax is the maximal thrust. Although the pilothas control over elevator deflection, the model assumes that it cancontrol � directly. A realistic model would assume that the pilot hascontrol over ��. This is unfortunately not possible given the currentlyavailable computing resources. The validity as well as limitations ofthese assumptions will be discussed in the last section of this paper.

Aerodynamic Properties of the Aircraft

In a commonly accepted approximation (see, for example,[26,27]), lift and drag depend on the two flight parameters � andV aswell as on numerous characteristics of the aircraft. The model ofthese characteristics is expressed by the dimensionless lift and dragcoefficients defined by

CD � D

�1=2��SV2and CL �

L

�1=2��SV2(2)

The coefficientCL can be computed for an ideal lift using thin airfoiltheory. CL is a linear function of � given by

CL��� � CLo� CL�

� (3)

where CLois the lift coefficient at zero angle of attack and CL�

is thelift coefficient slope. Figure 2 shows a typical affine model ofCL���for differentflap and slat deflections aswell as the corresponding stallangles �max, above which Eq. (3) is not valid and the aircraft mightbecome uncontrollable. As seen, CL increases with flap deflection,but the stall angle �max decreases. The stall angle �max increases withslat deflection. The terminology used in this figure and the deflectionangle values correspond to a DC9-30 aircraft. For drag, becausecoefficients are not available, estimates have to be used. A procedureadvocated byKroo [27] is followed. From lifting line theory [28], thedrag coefficient CD can be computed using the drag polar:

CD � CD �C2

L

� AR 0:95 e� CD � K C2L (4)

where CD accounts for the drag of the body of the aircraft, the slats,the flaps, and the landing gear. The second term accounts for draginduced by lift K � 1=�� AR 0:95 e� and is a constant (itsnumerical value will be given later for a specific aircraft). AR is theaspect ratio of the aircraft defined by AR� b2=S. The efficiency

factor is corrected by 0.95 for the landing configuration. Theefficiency factor quantifies the difference in performance betweenidealized lift (available from lifting line theory [28]) and actual lift(which accounts for the assumptions made in the idealized case).

In a typical autoland maneuver (Fig. 3), the aircraft begins itsapproach approximately 10 nmile from the touchdown point. Theaircraft descends towards the glide slope, an inertial beam that theaircraft can track. The landing gear is down, and the pilot sets theflaps at the first high-lift configuration in the landing sequence. Theautopilot captures the glide slope signal around 5 nmile from thetouchdown point. The pilot increases flap deflection to effect adescent without increasing speed (indicated by larger � in the flapsettings). The pilot steps the flaps through the different flap settings,reaching the highest deflection when the aircraft reaches 1000 ft inaltitude. At approximately 50 ft, the aircraft leaves the glide slope andbegins the flare maneuver, which allows the aircraft to touch downsmoothly on the runway with an appropriate descent rate. Thedeflection of the slats is correlated with the deflection of the flaps inan automated way.

Flight operating conditions are defined by the limits of aircraftperformance, as well as by airport and FAA regulations [29]. Theaerodynamic envelope for each discrete mode is the set of states inwhich the aircraft should remain. The envelope is associated with aset of operating conditions, which are allowed ranges of input signalsfor each discrete state. Given this set of operating conditions, thecontrollable subset of the envelope is defined as that subset fromwhich it is possible tomaintain the aircraft in the envelope. States notin the controllable subset are such that no matter what input the pilotchooses, the pilot will not be able to prevent the state from exiting theenvelope.

During descent and flare, the aircraft proceeds through successiveflap and slat settings. In each of these settings, the safe set is definedby bounds on the state variables. The maximal allowed speed Vmax isdictated by regulations. The minimal speed is related to the stallspeed by Vmin � 1:3 Vstall. The minimal speed is an FAA safetyrecommendation; the aircraft might become uncontrollable belowVstall. The stall speed is given by the formula

Vstall ������������������2mg

�SCLmax

s(5)

Here, CLmax:� CLo

� CL��max is the maximal lift coefficient

(denoted by a dot in Fig. 2) obtained at the stall angle �max.During descent, the aircraft tracks the glide slope (GS) and must

remain within �d� of the glide-slope angle �GS. As a result, theflight-path angle in flare mode can range from �min � �GS � d� to�max � �GS � d�. As the aircraft reduces its descent rate to landsmoothly (in the last 50 ft before touchdown), this range becomes��GS � d�; 0 deg�. By regulation, the flight-path angle � is thusrestricted to lie in the interval ��min; 0 deg�. (Typical values forlanding are d� ��0:7 deg, �GS ��3:0 deg; thus, �min��3:7 deg. Note that this is a conservative approximation. Otherstudies have suggested to extend this range to ��6 deg; 0 deg�.¶)−5 0 5 10 15 20 25

−0.5

0

0.5

1

1.5

2

2.5

3

angle of attack α (deg)

CL

clean wing δ=0flap deflection δ=25

flap deflection δ=50

Slats deflected

(Dimensionless Lift Coefficient)

Slats retracted

Fig. 2 Lift coefficient model for three different flap settings (�� 0, 25,and 50 deg) and for deflected/retracted slats.

Rollout

Flare

1000’

50’

Glide slope signal

Glide slope capture

Fig. 3 Typical landing profile.

¶Charlie Hynes, private communication.

70 BAYEN ET AL.

During descent and flare, thrust should be at idle, but the pilot can usethe full range of the angle of attack. In the following computations,wewill thus use ��min; 0� as the set for �, which encompassesflare andapproach. A more detailed analysis of the sets ��GS � d�; �GS � d��and ��min; 0� and the corresponding switches is provided in [30].

Parameters:

8>>><>>>:V � Vmin faster than stall speed

V Vmax slower than limit speed

� � �min limited descent flight path

� < 0 monotonic descent

Inputs:

�T � Tidle thrust at idle

� 2 ��min; �max� full range available

(6)

At touchdown (for z� 0 and with a negative descent velocity_z�0�< 0), the restrictions on the parameters are the same as in theprevious paragraph for the state space except for the descent velocity.This last requirement becomes _z�0�> _z0, where _z0 is a constant andrepresents the maximal touchdown velocity (to avoid damage to thelanding gear). The subscript 0 in _z0 denotes z� 0 (ground). Thiscondition thus reads V sin � � _z0. In summary,

Parameters:

8>><>>:V � Vmin faster than stall speed

V Vmax slower than limit speed

V sin � � _z0 limited touchdown velocity

� < 0 monotonic descent

Inputs:

�T � Tidle thrust at idle

� 2 ��min; �max� full range available

(7)

Safety Analysis

The state bounds described in the previous section define safeflight envelopes for the different types of flight conditions in whichthe aircraft operates. The states in these envelopes are not necessarilycontrollable, i.e., it might not be possible to maintain the aircraft inthe flight envelope from any of these states. (Note that the wordcontrollable is used in a nontraditional way here and throughout thearticle. By saying that a state is controllable, it is understood that it ispossible to keep it inside the safety set. This property is sometimesreferred to as viable [12] or control invariant [15,30].) For example,an aircraft traveling just above stall speed and already at a steepnegative flight-path angle might inevitably stall or start to descendtoo quickly. Thus, it is necessary to determine what subsets of theseenvelopes are actually controllable given the input authorityavailable to the pilot or autopilot. Because the nonlinear dynamics ofthemodel (1)make analytic determination of the controllable subsetsimpossible, a previously developed computational algorithm forfinding controlled invariant sets for this problem is used [3].

Computation of the Reachable Set

Given some dynamically evolving system and some set of a prioriunsafe states, the (backward) reachable set is defined as the set of allsystem states that reach V0 in time t. For the autoland system, inwhich the model is extended to several modes with differentenvelopes and dynamics, V0 will represent, in each discrete mode,the region outside the aerodynamic flight envelope. If a system’sdynamics are influenced by inputs, these inputs may either try todrive the state toward or away from the unsafe set; for the airplaneautopilot the inputs (� and T) will do the latter.

Computing the reachable set in a discrete system with a finitenumber of states, and hence a finite number of possible transitions, isa straightforward but possibly time consuming task of enumeratingall the states that have a path to the target set. Computing reachabilityfor a continuous system is a much more difficult undertaking, forexample, how should the uncountably many states in any nontrivialunsafe set be represented?

An algorithm for computing the reachable sets of continuoussystems with nonlinear dynamics was developed based on a time-dependent HJ PDE [3]. LetX be the continuous system’s state space,

and let _x� f�x; u� be the system’s dynamics, where the input u 2 Utries to keep the system from reaching the unsafe set. Define acontinuous function (sometimes called an implicit surface function)J0: X ! R such that

V 0 � fx 2 XjJ0�x� 0g

V0 is the zero sublevel set of the level set function J0�x�. In earlierwork [3] it is shown that, by solving the terminal value HJ PDE,

DtJ�x; t� �min�0; H�x;DxJ�x; t��� � 0 for x 2 X; t < 0

J�x; 0� � J0�x� for x 2 X; t� 0

(8)

where

H�x; p� �maxu2U

pT f�x; u�

for the function J: X � ��1; 0� ! R. An implicit representation ofthe reachable set is obtained:

V �t� � fx 2 XjJ�x;�t� 0g

The set-valued control synthesized from this calculation is

u��x; p� � argmaxu2U

pT f�x; u� (9)

It is “set valued” because the argument maximum (argmax) is notnecessarily unique.

Analytically solving (8) for a general J0�x� and f�x; u� is likely tobe impossible. Computational algorithms are complicated by the factthat, even for smooth J0�x� and f�x; u�, the solution J�x; t� candevelop discontinuities in its derivatives after finite time and hencecease to solve (8) in a classical sense. The appropriate weak solutionof (8) in this case turns out to be the viscosity solution [7], and levelset algorithms [9] are numerical techniques developed to computesuch solutions. A set of high-resolution schemes [3] has beendeveloped based on novel numerical techniques [10,11] to computeJ�x; t�, and hence the reachable set, very accurately.

Computation of the Optimal Input

The optimal input u��x� at a given state x represents a choice of uthat will maximize the Hamiltonian at that point x. The physicalinterpretation of u��x� is thus as follows: For a point inside thereachable set, it is known from reachability analysis [3] that atrajectory starting inside the reachable set will lead to the target set (7)while maintaining the state x inside the envelope (6) provided theoptimal control u��x� is applied to the system along the trajectory.Note, however, that it is sufficient to apply the optimal control to thesystem on the boundary of the reachable set, which therefore enablesthe synthesis of less restrictive controllers (thus leaving flexibility foroptimization of other flight parameters inside the reachable set). Theword “optimal” thus refers only to the maximality of theHamiltonian. Note that no cost functional is optimized explicitly inthe present case, though an interpretation of optimality can be givenin terms of maximization of the distance between the state and theboundary of the envelope at any given time (see [3] for more detail).

The computation of the optimal input u��x� is, in general,extremely expensive because it is a nonconvex optimizationproblem, which therefore requires exhaustive search on the domainof interest. In the present case it would require maximizing H overthe ��; T� space. However, for this particularmodel, the optimizationproblem can be reduced to checking six points, which iscomputationally tractable. The case in which the input is restricted to�0; �max� � �0; Tmax� is investigated. The case in which negativeangles of attack are considered is obtained by slight modifications ofthe method shown next [31].

Proposition 1: The optimal input u��x�≜ ���; T���argmaxu2UpT f�x; u� is never in the range ��; T� 2��min; �max���0;

BAYEN ET AL. 71

Tmax�. In otherwords, one of the two inputs ��; T� is always extremal.

(The notation �a; b�≜�a; b� denotes the open interval between a and

b. This is sometimes denoted �a; b�, but this would lead to confusionwith other notation of this paper. Note that in the formula definingu�,the dependency of the costate on variables has been omitted forsimplicity of the definition.)

Proposition 2: The optimal input ���; T�� is found among the sixfollowing values: �0; 0�, �0; Tmax�, ��max; 0�, ��max; Tmax�,��1; Tmax�, and ��2; Tmax�, where �1 and �2 solve a quadratic and atranscendental equation, respectively, shown in the Appendix.

The proofs are presented in the Appendix.

Computation of the Controlled Envelopes

Consider the aircraft in a givenmode (e.g., in a given portion of thelanding). The numerical values of the parameters in the dynamics (1)can be computed. Let W0 be the safe flight envelope in this mode,and let Wc

0 be its complement. To determine the maximalcontrollable subset W of W0, set V0 �Wc

0, and run a reachabilitycomputation in which the inputs attempt to keep the system awayfrom V0 (or equivalently, within W0). The reachable set typicallyconverges to a fixed point: V�t� ! V as t ! �1. In that case, thelargest controllable subset of the envelope is the complement of thefixed pointW � Vc. An example is shown in Fig. 4. In thisfigure, thedark set isW for each of the correspondingmodes, and the gray set isW0. The controlled set is the set of points which can touch the groundsafely without flying out the box while staying in that mode. As canbe seen on the left subplot, in the mode 0u (undeflected flap andslats), this set is bounded in height, whichmeans that it is not possibleto land safely in this mode. Only three modes are represented here;the two transition modes are omitted because the pilot has noswitching control while the system is in these modes.

Flap Deflection: Hybrid Reachability

In the preceding section, continuous reachable set computationsfor each discrete state were described; in this section, a discussion ispresented to understand how mode switches should be incorporatedinto the design. The difficulty here is to compute the maximalcontrollable sets given that the switches (and correspondingdynamics and envelope changes) can occur at arbitrary times. Thistype of computation would be needed for automating flap deflection,as one needs to know when it is safe to switch mode. A generalalgorithm has been developed in [15,18] to solve such problems. A

variation of this algorithm suitable for successive deflections of flapsfor a landing DC9-30 is now presented.

Physical Problem and Hybrid Model

In the process of landing described in the preceding sections, theaircraft successively deflects the flaps and slats from 0 deg (cleanwing) to the maximal deflection. The 0 deg modes are alternativelylabeled 0u (for undeflected) or 0r (for retracted). Each of thesedeflection angles aswell as the transitions between them is associatedwith different envelopes as well as operating conditions. Thus,transitioning from one configuration to another might drive thesystem into an unsafe state. The following question is nowof interest:starting from a given position in space (altitude) with given flightconditions (speed, flight-path angle, and flap deflection) and withfixed thrust, is there a switching policy (i.e., a set of successive flapdeflections/retractions) for which there exists an input (angle ofattack) able to bring the aircraft safely to the ground?

The usual landing procedure requires the deflection of the flaps tobe increasing in angle. This is modeled with a hybrid automaton,shown in Fig. 5. The intermediate flap deflection is 25 deg. The (slat)retracted state is denoted with r; the (slat) deflected state is denotedwith d. There are three possible wing configurations: 0, 25, and50 deg deflection. The lift coefficients for these modes arerepresented in Fig. 2. The safe set for these three modes is generatedaccording to the preceding section. For the transition from one modeto another, the lift is approximated by the mean of the two values ofthe lift (in the two correspondingmodes) and the stall angle is chosento be the one that is the most restrictive (to have a conservativeapproximation). For example, in mode 25d ! 50d, the coefficientCL��� at a given � is the mean of CL��� for �� 25 deg and CL���for �� 50 deg. The �max for thismode is theminimum of the �max inmode 25d and �max in mode 50d, i.e., 16 deg (see Table 1 or Fig. 2).The stall speed can then be computed using Eq. (5). It is assumed thatthe time the system has to remain in mode 0r ! 25d or 25d ! 50dis 10 s, which is the order of magnitude it takes to achieve half themaximal deflection of the flaps on a DC9-30. This implies that in thehybrid automaton of Fig. 5 the switches from mode 0r ! 25d tomode 25d and from 25d ! 50d to mode 50d happen automatically10 s after the switch to mode 0r ! 25d and mode 25d ! 50d,respectively. Most of the parameters for the DC9-30 can be found inthe literature [26,27,32,33]. The previously derived model enablesthe computation of the lift and drag. The values of the numericalparameters used for the DC9-30 are m� 60; 000 kg,Tmax � 160; 000 N, g� 9:8 m=s2, e� 0:84, S� 112 m2, and

Fig. 4 Flight envelope W0 in each mode (gray). Controlled set W within each mode (dark), with no switching allowed.

clean wing:

mode 0r

slats retractedflaps: δ = 0 deg

mode 0r → 25d

slats deflection

flaps deflection

mode 25d

slats deflected

flaps: δ = 25 deg

mode 25d → 50d

flaps deflection

mode 50d

slats deflected

flaps: δ = 50 deg

Fig. 5 Transition diagram from clean wing, no flap/slat deflection (0r), to fully deflected wing (50d).

72 BAYEN ET AL.

�� 1:225 kg=m3. The lift and drag forces are thus (in dimensionalform)

L��; V� � 68:6�h� � 4:2��V2 N

D��; V� � �2:7� 3:08�h� � 4:2��2�V2 N(10)

where h� � CL�0 deg� depends on the flap setting. The letter Nindicates that the units areNewtons (ifV is taken inm=s). A summaryof all constants for the DC9-30 is shown in Table 1.

Hybrid Algorithm

The modes in Fig. 5 can be divided into three classes according tothe type of their outgoing transition. The simplest ismode 50d, whichhas no outgoing transition and hence is treated by solving (8) withoutswitches enabled. The controllable subset of the envelope iscomputed by solving (8) until it converges (after about 15 s ofsimulated time). A similar procedure can be run on the other twomain modes (0r and 25d) to determine what subsets of theirenvelopes are controllable without mode switches. To determine thecontrollable subsets with mode switches enabled, the remainingmodes are split into two classes depending on whether the switch tothe subsequent mode in the sequence is controlled by the pilot(modes 0r and 25d) or timed (the two transition modes).

A timed mode is a mode from which the system automaticallyswitches at t� tf. A state �V; �; z� in a timed mode is safe if both oftwo conditions hold: First, it must give rise to a trajectory thatremains within the flight envelope of the timed mode for allt 2 �0; tf�; otherwise, the trajectory becomes unsafe before the modeswitch. Second, the state of the trajectory at t� tf must be within thecontrollable envelope of the subsequent mode; otherwise, thetrajectorywill become unsafe at some time after themode switch. LetW0 be the safe flight envelope in the timedmode, and letWnext be thecontrollable envelope for the subsequent mode, which has alreadybeen computed numerically. The reachability computation for thetimed mode then uses V0 � �W0 \Wnext�c as initial conditions.Inputs are used to steer the system away from V0, and thecomputation is run backwards only to�tf, which is typically short ofconvergence. The controllable envelope for the timed mode is thenW � V�tf�c.

A controlled mode is a mode fromwhich the systemmay switch atany time to avoid becoming unsafe. A state �V; �; z� in a controlledmode is safe if any one of three conditions hold: First, it may give riseto a trajectory that always remains within the safe envelope of thecontrolled mode in which case it is safe without switching. Second, itmay be within the controllable envelope of the subsequent mode inwhich case it is safe due to an instantaneous switch. Third, itmay give

rise to a trajectory that remains within the safe envelope of thecontrolled mode until it reaches a state that lies within thecontrollable envelope of the subsequent mode in which case it is safedue to a delayed switch. Note that a statemay satisfymore than one ofthese conditions.

The controllable subset of a controlled mode’s envelope iscomputed using a slight modification of the reach–avoid procedureoutlined in previous work [15]. LetW0 be the safe flight envelope ofthe controlledmode, and letWnext be the controllable envelope of thesubsequent mode. The first condition for safety is represented in thereach–avoid computation by settingV0 �Wc

0, as would normally bedone. The difference in a reach–avoid computation lies in the “avoid”or “escape” set A, which represents the other two safety conditionsthat become available due to the controlled mode switch. Anytrajectories that enter this set may safely switch to the subsequentmode and hence are deemed safe in the controlled mode. In this case,A is set toA�Wnext \W0. For the reach–avoid computation, it isassumed that JA�x� such thatA� fx 2 XjJA�x� 0g. Then V�t� iscomputed according to (8) subject to the additional constraint thatJ�x; t� � �JA�x� for all t. In the two modes of interest (0r and 25d),the reach–avoid computation achieves a fixed point V, and thecontrollable envelope for thesemodes is the complement of thisfixedpoint W � Vc. For the particular sets and dynamics of these twomodes, it turns out that V �Ac, for all safe states there exists a safeinstantaneous switch to the subsequent mode, but that need not betrue in general.

Results

The results of the reachability computation are shown in Figs. 4, 6,and 7.

Figure 4 shows the set of controllable states in modes 0u, 25d, and50d without switching (dark), as well as the corresponding flightenvelopes (gray). This figure shows the boundary of the flightenvelope as well as the computational result for W, which is thelargest set contained inW0 such that the pilot can touch down safely.As can be seen from Fig. 4, portions of W0 are excluded from W.There are three reasons for this fact.

1) For low speeds, there is not enough lift/thrust to prevent theaircraft from stalling almost immediately: In the state space �V; �; z�a point too close to the faceV � Vmin inW0 will not be able to stay inW0 and will exit this box through the V � Vmin face.

2) For steepflight-path angles (close to the � � �min face in theW0

box), the aircraft has too steep of a flight-path angle to maintain it inthe box: The state space exits the box through the � � �min face.

3) Too close to the ground, with steep flight-path angle, the aircraftis not able to reach theV sin � � _z0 subset of the box and touches theground with too high a vertical velocity.

Table 1 Summary of flap/slat deflection specific numerical parameter values for the DC9-30

Mode Vstall Vmax �max h� �min �max

0r 79:01 m=s 83 m=s 16 deg 0.2 �3 deg 0 deg0r ! 25d 71:58 m=s 83 m=s 16 deg 0.5 �3 deg 0 deg25d 61:50 m=s 83 m=s 20 deg 0.8 �3 deg 0 deg25d ! 50d 60:46 m=s 83 m=s 18 deg 1.025 �3 deg 0 deg50d 57:75 m=s 83 m=s 18 deg 1.25 �3 deg 0 deg

Fig. 6 Flight envelope W0 in each mode (gray). Controlled set W within each mode (dark), with switching allowed.

BAYEN ET AL. 73

As can be seen, the only sets that are controllable in mode 0u areclose to the ground (the dark set does not extend higher than a fewmeters). This means that states too far from the ground are notcontrollable in mode 0u: It is not possible to touch the ground safelyin that mode from these states. For the other modes, some portions ofthe flight envelope are excluded from the set of controllable states.

The benefit of switching thus appears in Fig. 6. Mode 0u becomescontrollable by switching to mode 25d through the transition mode0r ! 25d. The dark set now extends vertically to the top of thecomputational domain. Figure 7 compares the maximal controllableset without switching with the maximal controllable set whenswitching is enabled. The difference between the two sets in mode25d is relatively small: switching frommode 25d leads to mode 50dthrough mode 25d ! 50d. Because this transition mode has to lastfor at least 10 s, the system might still exit the envelope beforeachieving mode 50d in which it becomes controllable. The envelopeis not shown here. The benefit of switching is obvious from the leftsubplot (the set of controllable states is bigger and allows safelanding). The set of controllable states for the 25d mode becomesslightly bigger as well. The mode 50d is not shown here because noswitching from that mode is available (Fig. 5) and therefore the onlyrelevant set in that mode is the set shown in Figs. 4 or 6 (right-handpart).

This type of computation can be used as a design mechanism forautopilots, to determine the times at which switches can be initiated.For example, reducing the speed in mode 0u requires switching;otherwise, the aircraft will most likely stall.

Current Work: Toward More Realistic Models

The model of the preceding sections assumes that the controlinputs of the aircraft are� andT. In reality the pilot has control over ��and T. The currently available computational resources enable fastcomputations of reachable sets for dimensions up to four. Thissection shows how such computation could be used. It is thereforeassumed that the pilot has control over _�. _� is the input and ranges inan interval that is known a priori and represents realistic rates ofchange of �, given known acceptable values of ��:

d

dt

V�z�

2664

3775�

1m�T cos� �D��; V� �mg sin ��

1mV

�T sin�� L��; V� �mg cos ��V sin �

u

2664

3775 (11)

The method presented in preceding sections applies to this newmodel. In this case, the computation of the optimal input is easier: theHamiltonian is given by

H�x; p� � p1

m�T cos� �D��; V� �mg sin �� � p2

mV�T sin�

� L��; V� �mg cos �� � p3V sin � � p4u (12)

Therefore, the optimal input T� can be determined as before, and theoptimal inputu� is sgn�p4�. For the four-dimensional system (11) the

envelope is now a four-dimensional set in the �V; �; h; �� space.Equations (6) and (7) mathematically define a three-dimensionalflight envelope in flaremode. Let us call this set E.With� now a statevariable, the flight envelope becomes E � ��min; �max�, and the task ofa controller is to maintain the state in this set. The problem can besolved as previously, and the result is a four-dimensional set such thatif the state of the system �V; �; h; �� is initially inside the set, thereexists a control that will keep it inside the four-dimensional envelopeE � ��min; �max�.

Figures 8 and 9 show three-dimensional slices of the four-dimensional controllable set. The four-dimensional maximalcontrollable set for a single mode (mode 50d) is computed. Thenumerical values are the same as in the preceding section, with_� 2 ��0:35; 0:35� rad=s and T � 0:7 Tmax.Figure 8 shows the slices for different �. These sets can be

compared with the sets of Figs. 4 for a single mode. For any given �slice, the sets of Fig. 8would be enclosed in their counterpart with (1)instead of (11). Equation (1) implies that the angle of attack can bechanged instantaneously, whereas (11) takes into account therotational inertia of the aircraft; therefore, it is harder to control thesystem through (11). These subplots provide the set of �V; �; z� thatare controllable when the dynamics (1) includes � as a state variable.As can be seen, starting from a very small � (�� 1 deg) or a verylarge � (�� 17 deg) restricts the set of �V; �; z� for which theaircraft can ultimately touch down.As can be seen for�� 1 deg, theset does not connect to the ground: The angle of attack (and,therefore, the lift) is too small, causing the flight-path angle tobecome too steep. For �� 17 deg, the set does not connect to theground either because the angle of attack is too high, causing eitherstall at low speed or causing the flight-path angle to become positiveat high speeds (because of the high lift). Between these two values of� landing is possible, which seems intuitive: If � is initially set to areasonable value, it is possible to reach the ground safely with theappropriate control.

Figure 9 should be interpreted as slices from a “reachability tube”in the four-dimensional space. For a given altitude, a three-dimensional slice gives the set of parameters for which the aircraft iscontrollable. As expected, the set decreases with altitude. As theaircraft approaches the ground, the set of states from which it ispossible to control the aircraft becomes smaller because there is lesstime to rectify an approach leading to a touchdown outside the safeset (7). As in Fig. 8, one can see that very large or very small values of� become uncontrollable close to the ground (see the slice atz� 2 m) because they lead to a touchdown outside the safe set (7).

Figure 9 illustrates how these results could be used for autopilotdesign. The method allows checking for all z if �V; �; z; �� is in theset of controllable parameters. This method could thus at every zprovide the appropriate input to apply to keep �V; �; z; �� inside themaximal controllable set as z further decreases.

Conclusion

The model of the longitudinal dynamics of a commercial jetaircraft that was presented in this paper was used to compute safety

Fig. 7 Comparison between the set of controllable states without switching (dark) and with switching (gray), from Figs. 4 and 6.

74 BAYEN ET AL.

envelopes of the aircraft in the different modes of landing. The mainoutcome of this paper is the construction of an input to apply to keepthe aircraft inside a user-prescribed flight envelope. The simulationsshown demonstrate the possibility of generating such a control for anactual aircraft. The method presented used concepts from hybridsystems theory and was successfully applied to the successive flapand slat deflection of a DC9-30 aircraft in final approach. Finally,higher dimensional reachability computations were displayed,which show the potential of the method for applications to moreaccurate models.

In the future, computational resources will allow the treatment ofhigher dimensional models (which would incorporate more

parameters and features of the systems). Therefore, the proofs ofsafety provided by our model are valid only within the limits of thismodel. They are relevant for current autopilots, as confirmed byrecent experiments realized on conflict avoidance maneuvers.Another approach currently under investigation is the possibility ofcomputing guaranteed approximations of the controllable set inhigher dimension.

Appendix

Proof of Proposition 1: The Hamiltonian associated with Eq. (1)reads

Fig. 8 Three-dimensional slices of the four-dimensional control invariant set corresponding to (11), for various values of �.

Fig. 9 Three-dimensional slices of the four-dimensional control invariant set corresponding to (11), for various values of z.

BAYEN ET AL. 75

pT f�x; u� � p1

m�T cos � �D��; V� �mg sin �� � p2

mV�T sin�

� L��; V� �mg cos �� � p3V sin �

(A1)

where u� ��; T�. The optimality condition reads

@�pT f�x; u��@u1

� @�pT f�x; u��@�

� p1 cos�

m� p2 sin�

mV� 0

@�pT f�x; u��@u2

� @�pT f�x; u��@T

��Tp1 sin�

m� p1

m

@D��; V�@�

� p2T cos�

mV� p2

mV

@L��; V�@�

� 0

(A2)

From (A2), the necessary conditions on the domain interior can becomputed:

�� � �tan�1�p1V

p2

�;

T� � 1��������������������������������1� �p1V=p2�2

p �p1V

p2

@D

@�

�tan�1

��p1V

p2

�; V

�

� @L

@�

�tan�1

��p1V

p2

�; V

��(A3)

Using the fact that, for this particular model of lift and drag, L��; V�is a linear function of� andD��; V� is a quadratic function of�, it canbe checked quite easily that the eigenvalues of the Hessianmatrix aregiven by

��� p1

2m

8<:@

2D

@�2�V� �

������������������������������������������������������@2D

@�2�V�

�2

��

2

sin�����2

s 9=; (A4)

where the dependence on � has been omitted when � disappears inthe differentiation. It can be easily checked that the two eigenvaluesare of opposite sign and that therefore pT f�x; u� can never beextremal at ���; T��. The extremum of pT f�x; u� is thus on theboundary of the domain.

Proof of Proposition 2: In Eq. (A1),

h�x; p� :� p1

m�T cos � �D��; V� �mg sin �� � p2

mV�T sin�

� L��; V� �mg cos ��

is the only part ofH�x; p� that depends on the input. To find ���; T��,one needs to use h instead of H. Table A1 summarizes the possible

situations and corresponding optimal inputs. The justification forthese results is as follows.

For the cases where � is fixed (the first and second rows ofTable A1), the only term of interest in h is given by�p1 cos �� �p2=V� sin���T=m�. Clearly, for �� �max as well asfor �� 0, if �p1 cos�� �p2=V� sin���T=m�> 0, T� � Tmax;otherwise, T� � 0.

For T � 0, one can rewrite h�x; p� as

h�x; p� � p2

mVL0�h� � c��V2 � �D0 � ��h� � c��2�V2

which is a quadratic in �. The constants L0, D0, �, c, and h� can beeasily related to the model through Eqs. (2–4). If p1 > 0, themaximum occurs between the two zeros of the quadratic:

�1 �1

c

�L0p2

Vp1�� h�

�(A5)

Because the parabola is upside down, if �1 < 0, �� � 0; if�1 2 �0; �max�, �� � �1; and if �1 > �max, �

� � �max. If p1 < 0, thesituation ismuch simpler because the parabola is right-side up, and sodepending on the location of �1 in �0; �max�, �� � 0 or �� � �max.

For T � Tmax, one wants to solve for

@h

@���p1

m

�T sin�� @D

@�

�� p2

mV

�T cos �� @L

@�

�� 0 (A6)

There are four cases: The first case is p1 > 0 and p2 < 0. It is easy tosee that @h=@� � 0, which means that �� � �max. Conversely, ifp2 < 0 and p1 > 0, �� � 0. For the two remaining cases, it is neededto compute

@2h

@�2�� 1

m

T cos�� @2D

@�2

!p1 �

p2

mVT sin�

from which it can be seen that if p1 < 0 and p2 < 0, then h�x; p�cannot have a local maximum; therefore, �� � 0, or �� � �max. Thelast case,p1 > 0 andp2 > 0, is more difficult: h�x; p� can eventuallyhave a local maximum because @2h=@�2 < 0. In that case, @h=@� is adecreasing function of �. Thus if @h=@�j��0 < 0, �� � 0; if@h=@�j���max

> 0, �� � 0 as well. The remaining case is when theyhave opposite sign: @h=@�j��0@h=@�j���max

< 0. In that case, oneneeds to solve the transcendental Eq. (A6) numerically, and thesolution is called �2.

Corollary 1: Call p� �p1; p2; p3� the costate of the system. Tosolve efficiently for the optimal input, if p1 > 0 and p2 > 0, solveEq. (A6) numerically for �2 and compare the six possible cases ofProposition 2. Otherwise, compare only the five possible cases ofProposition 2 (no �2).

Table A1 Optimal input ���;T�� given as a function of the costate �p1; p2�� T Condition ���; T��0 �0; Tmax� p1 > 0 �0; Tmax�

p1 < 0 �0; 0��max �0; Tmax� p1 cos�max � �p2=V� sin�max > 0 ��max; Tmax�

p1 cos�max � �p2=V� sin�max < 0 ��max; 0��0; �max� 0 p1 > 0

if ~�1 2 �0; �max� � ~�1; 0�if ~�1 > �max ��max; 0�if ~�1 < �max �0; 0�

p1 < 0 ��max; 0� or �0; 0��0; �max� Tmax p1 < 0 p2 > 0 ��max; Tmax�

p1 > 0 p2 < 0 �0; Tmax�p1 < 0 p2 < 0 ��max; Tmax� or �0; Tmax�p1 > 0 p2 > 0if @H=@�j�0;Tmax� < 0 �0; Tmax�if @H=@�j��max ;Tmax� > 0 �0; Tmax�if @H=@�j�0;Tmax� @H=@�j��max ;Tmax� < 0 � ~�2; Tmax�

76 BAYEN ET AL.

Acknowledgments

This research was supported by NASA under Grant NCC 2-5422,by the Office of Naval Research (ONR) under MURI ContractN00014-02-1-0720, by Defense Advanced Research ProjectsAgency (DARPA) under the Software Enabled Control Program(AFRL Contract F33615-99-C-3014), and by a graduate fellowshipof the Délégation Générale pour l’Armement (France). We are verygrateful to Ilan Kroo for his initial suggestions for the model of theaircraft aswell as for his help in computing the numerical value of theparameters.

References

[1] Bryant, R. E., “Graph-Based Algorithms for Boolean FunctionManipulation,” IEEE Transactions on Computers, Vol. C-35, No. 8,Aug. 1986, pp. 677–691.

[2] Hu, A. J., Dill, D. L., Drexler, A. J., and Yang, C. H., “Higher-LevelSpecification and Verification With BDDs,” Computer Aided

Verification, edited by G. v. Bochmann and D. K. Probst, Vol. 663,Lecture Notes in Computer Science, Springer–Verlag, Berlin, 1993,pp. 82–95.

[3] Mitchell, I., Bayen, A. M., and Tomlin, C. J., “Computing ReachableSets for Continuous Dynamic Games Using Level Set Methods,” IEEETransactions on Automatic Control, Vol. 50, No. 7, 2005, pp. 986–1001.

[4] Lygeros, J., “On Reachability and Minimum Cost Optimal Control,”Automatica, Vol. 40, No. 6, June 2004, pp. 917–927.

[5] Bryson, A. E., Control of Spacecraft and Aircraft, Princeton Univ.Press, Princeton, NJ, 1994, pp. 28–49.

[6] Crandall, M. G., and Lions, P.-L., “Viscosity Solutions of Hamilton-Jacobi Equations,” Transactions of the American Mathematical

Society, Vol. 277, No. 1, 1983, pp. 1–42.[7] Crandall, M., Evans, L., and Lions, P.-L., “Some Properties of

Viscosity Solutions of Hamilton-Jacobi Equations,” Transactions of

the American Mathematical Society, Vol. 282, No. 2, 1984, pp. 487–502.

[8] Isaacs, R.,Differential Games, Wiley, New York, 1965; reprint Dover,New York, 1999, pp. 200–335.

[9] Osher, S., and Sethian, J., “Fronts propagating with Curvature-Dependent Speed: Algorithms Based on Hamilton-Jacobi Formula-tions,” Journal of Computational Physics, Vol. 79, No. 1, 1988, pp. 12–49.

[10] Sethian, J. A., Level Set Methods and Fast Marching Methods,Cambridge Univ. Press, New York, 1999, pp. 305–308.

[11] Osher, S., and Fedkiw, R., Level Set Methods and Dynamic Implicit

Surfaces, Springer–Verlag, New York, 2002, pp. 23–37.[12] Aubin, J.-P., Viability Theory, Systems and Control: Foundations and

Applications, Birkhäuser Boston, Cambridge, MA, 1991, pp. 77–195.[13] Saint-Pierre, P., “Approximation of the Viability Kernel,” Applied

Mathematics and Optimization, Vol. 29, 1994, pp. 187–209.[14] Cardaliaguet, P., Quincampoix, M., and Saint-Pierre, P., “Set-Valued

Numerical Analysis for Optimal Control and Differential Games,”Stochastic and Differential Games: Theory and Numerical Methods,edited by M. Bardi, T. Raghavan, and T. Parthasarathy, Annals of theInternational Society of Dynamic Games, Birkhäuser Boston,Cambridge, MA, 1999, pp. 177–248.

[15] Tomlin, C., Lygeros, J., and Sastry, S., “AGame Theoretic Approach toController Design for Hybrid Systems,” Proceedings of the IEEE,Vol. 88, No. 7, 2000, pp. 949–970.

[16] Tomlin, C. J., Mitchell, I., Bayen, A. M., and Oishi, M. K.,

“Computational Techniques for the Verification and Control of HybridSystems,”Proceedings of the IEEE, Vol. 91, No. 7, July 2003, pp. 986–1001.

[17] Bayen, A. M., Crück, E., and Tomlin, C. J., “GuaranteedOverapproximations of Unsafe Sets for continuous and HybridSystems: Solving the Hamilton-Jacobi Equation Using ViabilityTechniques,” Hybrid Systems: Computation and Control, edited by C.J. Tomlin, and M. Greenstreet, Vol. 2289, Lecture Notes in ComputerScience, Springer–Verlag, New York, 2002, pp. 90–104.

[18] Mitchell, I. M., “Application of Level Set Methods to Control andReachability Problems in Continuous and Hybrid Systems,” Ph.D.Thesis, Scientific Computing and Computational MathematicsProgram, Stanford University, Stanford, CA, Dec. 2003.

[19] Bryson, A. E., and Denham, W. F., “A Steepest-Ascent Method forSolving Optimum Programming Problems,” Transactions of the

American Society of Mechanical Engineers, Vol. 29, No. E, 1962,pp. 247–257.

[20] Bayen, A. M., Santhanam, S., Mitchell, I., and Tomlin, C. J., “ADifferential Games Formulation ofAlert Levels in ETMSData for HighAltitude Traffic,” AIAA Conference on Guidance, Navigation and

Control, AIAA Paper 2003-5341, Aug. 2003.[21] Lee, E. A., “Soft Walls: Frequently Asked Questions,” University of

California, TechnicalMemorandumUCB/ERLM03/31, Berkeley, CA,2003.

[22] McGuire, B., and Neogi, N., “Verifying Correctness of ConflictDetection Devices in the Presence of Uncertainties,” AIAA 1st

Intelligent Systems Technical Conference, AIAA Paper 2004-6548.[23] Rigal, S., “Guidage d’un Véhicule Sous Marin de Type Glider par des

Méthodes de Viabilité, Rapport de DEA AIA,” Ecole Centrale deNantes, Technical Rept., Nantes, France, 2001.

[24] Teo, R., Jang, J. S., and Tomlin, C. J., “Flight Demonstration ofProvably Safe Closely Spaced Parallel Approaches,” AIAA Conference

on Guidance Navigation and Control, AIAA Paper 2005-6197.[25] Eklund, J. M., Sprinkle, J., and Sastry, S., “Template Based Planning

and Distributed Control for Networks of Unmanned UnderwaterVehicles,” IEEEConference onDecision andControl, (in preparation).

[26] Shevell, R., Fundamentals of Flight, Prentice–Hall, New York, 1989,pp. 158–176.

[27] Kroo, I.,Applied Aerodynamics—ADigital Textbook [online textbook],Desktop Aeronautics, Stanford, 2006, http://www.desktopaero.com.(This textbook is online only.)

[28] Prandtl, L., and Tietjens, O., “Fundamentals of Hydro- and

Aeromechanics, Eng. Societies Monographs, 1934, pp. 189–221;reprint Dover, New York, 1957.

[29] Sharma, V., Voulgaris, P. G., and Frazzoli, E., “Aircraft AutopilotAnalysis and Envelope Protection for Operation under IcingConditions,” Journal of Guidance, Control, and Dynamics, Vol. 27,No. 3, pp. 454–465.

[30] Oishi,M. K.,Mitchell, I., Bayen, A.M., and Tomlin, C. J., “Invariance-preserving abstractions of Hybrid Systems: Application to UserInterface Design,” IEEE Transactions on Control Systems Technology,2005 (submitted for publication).

[31] Oishi, M. K., Mitchell, I., Bayen, A. M., Tomlin, C. J., and Degani, A.,“Hybrid Verification of an Interface for an Automatic Landing,”Proceedings of the 41th IEEE Conference on Decision and Control,Vol. 2, IEEE Publications, Piscataway, NJ, Dec. 2002, pp. 1607–1613.

[32] Roskam, J., and Lan, C.-T., Airplane Aerodynamics and Performance,Design, Analysis, andResearch Corp., Lawrence, KS, 1997, pp. 1–547.

[33] “Gas Turbine Engines Specifications,” Aviation Week and Space

Technology [online journal], 17 Jan. 1999, http://www.aviationnow.-com [retreived Dec. 2005].

BAYEN ET AL. 77